Sharing of Cybersecurity Threat Indicators

The Cybersecurity Information Sharing Act of 2015 (CISA) provided a framework for companies to voluntarily share cybersecurity threat indicators with each other, as well as with the government, to prevent cyber attacks.
We believe this type of sharing is appropriate under some circumstances and encourage companies to be transparent with their users when this occurs.

In the Reporting Period, Bugzilla experienced a security incident, which we reported about on Mozilla’s security blog.
As permitted by law, we voluntarily shared IP addresses associated with the security incident with the Federal Bureau of Investigation (FBI).
Although this occurred prior to the passage of CISA, the IP addresses are examples of cybersecurity threat indicators and relevant for purposes of transparency reporting.

Information about possible child sexual exploitation can be voluntarily reported by anyone to the National Center for Missing & Exploited Children’s (NCMEC) CyberTipline.
We take this issue seriously.
In the Reporting Period, Mozilla disclosed Specific User data to the NCMEC in connection with a Theme that was submitted (but not published) to Firefox Add­ons (“AMO”) and implicated child sexual exploitation.